12/02/2020
Kindred Group

Kindred Group Security Page

Welcome!

Kindred Group looks forward to working with the security community to find security vulnerabilities in order to keep our businesses and customers safe. Kindred Group will make a best effort to respond to incoming reports within 5 business days, validate the report within 10 business days, and make a bounty determination after validating a legitimate security issue within 10 business days. We’ll try to keep you informed about our progress throughout the process.


Rules of Engagement

Violation of any of these rules may result in ineligibility for a bounty and/or removal from the program.

Program Rules

  • Only test against accounts you own or accounts that you have explicit permission from the account holder to test against
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service
  • Notify us immediately if any sensitive information is accessed throughout the course of your testing.
  • Do not perform any social engineering against users or Kindred Group employees
  • Do not run automated scans (see below)
  • Do not test the physical security of Kindred Group offices, employees, equipment, etc.
  • Do not perform DoS or DDoS attacks
  • Do not attack our end users, or engage in trade of stolen user credentials
  • Do not publicly disclose vulnerabilities or otherwise share vulnerabilities with a third party without Kindred Group's express written permission
  • Current and former employees are not permitted to take part in the bounty program

Automated Scans

  • Please do not run automated scans. They will cause an impact to our systems and services which means long days at the office.
  • If we determine that you are running automated scans against our infrastructure, we may decide to reward a lower amount than usual. If you continue to run automated scans without our explicit permission, you may be removed from the program.

Bounty Eligibility & Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue and we’ll make every effort to quickly resolve the issue
  • Follow HackerOne's disclosure guidelines
  • Submit one bug per report
  • Please provide detailed steps for reproducing the bug. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Multiple bugs caused by one underlying issue will be awarded one bounty.
  • When submitting a report, please consider the attack scenario / exploitability of the bug, as well as its security impact

Setting up an Account

To help our fraud systems, please create an account using your HackerOne email alias - username@wearehackerone.com.


Scope

Only the Assets listed in the structured Scope section below are considered eligible for a bounty. Please carefully review this section before submitting a report.

Please note: Before submitting a bug report, please check the target domain's DNS records to ensure that it is not an alias of an out-of-scope domain.

Platforms

There are two platforms which our various brands run on. All brands and geographic TLDs that run on the same platform share the same code. In situations where a specific bug affects all brands on the same platform, we will only reward the initial report for that bug, as one fix will solve the bug on all brands running on the same platform.

For reference, these are the brands hosted on each of the platforms:

Platform 1 | Platform 2
---|---
Unibet | MariaCasino
Storspelare/Storspiller | Kolikkopelit
Bingo | iGame
| CasinoHuone

Out of Scope components

The following components on our sites are developed by third parties and served through iframes. These components, and anything similar, are out of scope, with the exception of any components specifically listed in our Scope section.

  • Games (including Casino, Live Casino, etc)
  • Poker
  • Bingo
  • Sports

Out of Scope bugs

  • Clickjacking on pages with no sensitive actions
  • Unauthenticated/logout/login CSRF
  • Missing HTTP security headers
  • Missing best practices in SSL/TLS configuration
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies
  • Attacks requiring MITM or physical access to a user's device
  • Previously known vulnerable libraries without a working Proof of Concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Any activity that could lead to the disruption of our service (DoS/DDoS)
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Descriptive error messages (e.g. Stack Traces, application or server errors)
  • Fingerprinting / banner disclosure on common/public services
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Application or web browser 'autocomplete' or 'save password' functionality
  • Username / email enumeration
  • Account lockout not enforced
  • Brute-forcing user credentials
  • Weak password policies
  • Host header injection without exploitation
  • Self-XSS or XSS that only affects out-of-date browsers
  • Mail configuration issues including SPF, DKIM, and DMARC settings
  • Vulnerabilities that rely on Flash
  • 0day vulnerabilities will require a 30/60 day cool-down period

Out of Scope bugs for mobile apps

  • Absence of certificate pinning
  • Any kind of sensitive data stored in app private directory
  • Any URIs leaked because a malicious app has permission to view opened URIs
  • Application crashes due to malformed URL schemes
  • Crashes due to malformed Intents sent to exported Activity/Service/BroadcastReceiver (exploiting these for sensitive data leakage is commonly in scope)
  • Exposure of non-sensitive data on the device
  • Lack of binary protection (anti-debugging) controls
  • Lack of exploit mitigations
  • Lack of obfuscation
  • Pasteboard leakage
  • Sensitive data in URLs/request bodies when protected by TLS
  • User data stored unencrypted on the device or on external storage
  • Vulnerabilities in third party libraries without showing specific impact to the target application (e.g. a CVE with no exploit)
  • Vulnerabilities requiring a rooted, jailbroken, or otherwise modified device

Thank you for helping keep Kindred Group and our users safe!

In Scope

Scope Type | Scope Name
---|---
ios_application | https://itunes.apple.com/gb/app/unibet-casino-slots-games/id905382680
ios_application | https://itunes.apple.com/gb/app/unibet-live-sports-betting/id463335337
other | https://cdn.unicdn.net/apk/UnibetCasino.apk
other | https://cdn.unicdn.net/apk/UnibetSports.apk
other |
web_application | *.unibet.com
web_application | unibet.se
web_application | be.unibet.com
web_application | *.storspiller.com
web_application | *.bingo.com
web_application | *.mariacasino.com
web_application | *.kolikkopelit.com
web_application | *.casinohuone.com
web_application | *.igame.com
web_application | com.unibet.casino
web_application | com.unibet.unibetpro
web_application | relaxcdn.unibet.com

Out of Scope

Scope Type | Scope Name
---|---
web_application | ads*.unibet.com
web_application | ads.unibet.com
web_application | ads-cdn.unibet.com
web_application | adserving.unibet.com
web_application | livechat.unibet.com
web_application | kindredgroup.com
web_application | kindredaffiliates.com
web_application | unibet.fr
web_application | link.bingo.com
web_application | a1s.unibet.com
web_application | *nj.unibet.com
web_application | cdn2.unibet.com
web_application | *pa.unibet.com


This program was found on HackerOne on 2020-02-12.
